If sensors don’t
sound like a big deal, remember that today’s smartphones are stuffed with them
in the form of accelerometers, magnetometers, gyroscopes, GPS, cameras,
microphones, ambient light sensors, barometers, proximity sensors, and many
others.

Researchers have
been looking at whether these sensors could be used to identify devices for
some time using machine-learning algorithms without much success, but the
Cambridge researchers finally cracked the problem with a novel proof of concept for iOS
devices using M-series motion co-processors.

And there’s a
good reason why sensors represent an attractive target, say the researchers:

Access to
these sensors does not require any special permissions, and the data can be
accessed via both a native app installed on a device and also by JavaScript
when visiting a website on an iOS and Android device.

In other words,
unlike traditional fingerprinting nobody is going to stop them, ask for
permission to do what they’re doing, or even notice it’s happening at all,
rendering the whole exercise invisible.

Google Chrome
extension developers were fuming last week over a new approach in the way that
the browser will handle extensions. It will limit the way that Chrome lets
browsers block content – unless you’re an enterprise user.

In November 2018,
Google proposed an update to the Manifest system, which restricts what
extensions can do in Chrome. In its forthcoming Manifest v3, it wants to change
the way that browser extensions intercept and modify network requests from the
browser.

The proposed
change would limit the functions of a specific application programming
interface (API). APIs define how a piece of software can be spoken to by other
bits of software.

Today, extensions
running on the Chromium browser use the webRequest API to intercept
network requests. They can use it to analyze and block requests from online
domains like advertising networks.

Chromium’s
developers want to limit the blocking form of webRequest, instead allowing only
a neutered version that simply observes network requests. If developers want to
block a site, they’d need to use another API called declarativeNetRequest.

The move would
improve performance and improve user privacy, said Chromium’s developers. When
using webRequest, Chrome gives the network request to the extension and waits
for its decision. Under declarativeNetRequest, the extension tells
Chromium its rules and lets the browser use those to handle the decisions
itself.

In 2017, Facebook
banned several fake news sites. One of them was the one that “Tamara” (not her
real name) was writing for.

Poof! went her
livelihood. Poof! went her boss’s Facebook Messenger account. When she finally
got through to him, he sounded “shook up,” said Tamara, a Macedonian fake-news
writer who recently described to the BBC what it’s like
to manufacture mental sludge.

She didn’t hear
from him again until last summer, when “Marco” – an awkward young man who
seemed to be embarrassed about being younger than his employee – called to see
if Tamara wanted to write for another website. She declined.

It’s not that she
was overwhelmed with guilt that her job consisted of copying and pasting
obviously made-up stories from other sites after searching for strings such as
“Muslim attacks,” then creating a mashup of fact and fiction and searching
Google for images to attach to the articles she published.

My take was
that if people are stupid enough to believe these stories, maybe they deserve
this. If they think this is the truth, then maybe they deserve this as a way of
punishment.

And it’s not that
she agreed with the content she was writing. Tamara says she’s a liberal, and
she was “horrified” by the content she had to rewrite. She told the BBC that
she basically turned off her brain and became a set of hands at a keyboard as
she rewrote US articles to hide them from being flagged as plagiarized content.

I try to split
myself and my own beliefs from the stuff I was writing. So I tried to stay as
out of it as I can. I just saw it as writing words. I tried not to think about
writing propaganda.

G Suite users will have ‘confidential’ Gmail mode set to ON
by default

By Lisa Vaas

Google announced
on Wednesday that on 25 June 2019, its Gmail confidential mode will be switched
on by default as the feature becomes generally available.

The feature gives
G Suite users who use Gmail the option to send emails with expiration dates or
to revoke previously sent messages. It also prevents recipients from
forwarding, copying, printing, or downloading messages. Since confidential mode
will be switched on by default, admins will have to switch it off if they so
choose – for example, if they’re in industries that face regulatory
requirements to retain emails.

Google introduced
confidential mode for personal Gmail accounts last year and made the
beta available in March 2019.

The screenshot/photo
caveats still apply

As with other
ephemeral-messaging services, including Snapchat
and ProtonMail, there’s nothing stopping recipients from doing a screen grab of
a message or simply taking a photo of it.

And as
we noted in April 2018, when Google first gave admins a heads-up about
confidential mode, there’s a reason why the company called it “confidential”
rather than “private.”

There are lots of
books on tools and techniques to secure software containers, but what happens
when someone discovers a basic architectural flaw? And what do you do when
there’s no working patch for it?

That’s the
situation in the Docker universe this week after Suse developer Aleksa Sarai uncovered a bug in the way
that the container framework handles path names.

The bug lies in
FollowSymlinkInScope, which resolves file paths given to the Docker container
system. Because the function doesn’t immediately use the file path after
resolving it, it creates a race condition. An attacker who can interfere with
the resolved file path could change it, potentially giving them read-write
access to the host OS as a root user.

Containers are a
software packages that contain an application and its dependencies. They’re
designed to run in exactly the same way, regardless of infrastructure and work
by virtualizing an operating system (unlike Virtual Machines that virtualizing
hardware). Like Virtual Machines, Containers are not supposed to be able to
influence their host container.

This all sounds
very serious, and the National Vulnerability Database (NVD) ranks the bug
severity as high. Nevertheless, Docker security engineer Justin Cormack had his
own context for the flaw, in a statement mailed to Naked Security:

The vulnerability
is a rare/unlikely scenario that would require an already compromised container,
a copy being made without pausing the container, and a bad actor that knows
when that copy is being made.

Someone would
have to be using docker cp, a docker command used to copy files between the
host OS and the container. The attacker would have to modify the files at the
same time the copy was being made. That window is just a few milliseconds long,
the company pointed out in its mail.

ACS

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.